Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Automation of kinit process without login into edge node for end users?

avatar
author-rank bandarusridhar1
Guru

Created ‎06-01-2016 03:58 PM

Hi,

Right now we are following this process:

kinit username@REALM.COM
Password for username@REALM.COM

Now end business analytical team doesn't want to login to Putty/Edge node and get a valid ticket all the time. Is there any way that we can automate to get a valid ticket as soon as they login either Windows/SAS/ any reporting tool? If yes, can you please share me the process to implement? Thanks in advance

17,020 Views
8 REPLIES 8

avatar
author-rank ravi1 author-rank
Guru

Created ‎06-01-2016 04:22 PM

Does your BA team on windows use AD ? If so, one way trust will work.

You need to configure your Kerberos server to trust AD. This way, any valid authenticated AD user will be trusted and he/she will not need another kinit from windows. You can take a look at one way trust setup here.

11,989 Views
0 Kudos

avatar
author-rank bandarusridhar1
Guru

Created ‎06-01-2016 04:41 PM

@Ravi Mutyala

No, they are on LDAP. Now, as soon as they login into the analytical tool like SAS/R/Internal tools etc., they need to login into edge node and get validate a ticket. They feel the pain of everytime logging and get a valid ticket everyday.

11,989 Views
0 Kudos

avatar
author-rank rsheikh
Contributor

Created ‎02-16-2018 05:58 PM

@Ravi MutyalaWill this work where client (desktop) connects to its server (win server) which then acts as a client to the HDP cluster. There is no direct login. We are not finding much info. Any advice?

11,989 Views
0 Kudos

avatar
author-rank emaxwell author-rank
Guru

Created ‎06-01-2016 07:45 PM

@Sri Bandaru

If all you need to do is automate the grabbing of the ticket, then you can set up a keytab file and use the login script to automatically kinit when the user logs in with something similar to the following:

> ktutil
  ktutil:  addent -password -p username@DOMAIN.COM -k 1 -e rc4-hmac
  Password for username@DOMAIN.COM: [enter your password]
  ktutil:  addent -password -p username@DOMAIN.COM -k 1 -e aes256-cts
  Password for username@DOMAIN.COM: [enter your password]
  ktutil:  wkt username.keytab
  ktutil:  quit
> mkdir /home/username/keytabs
> chmod 700 /home/username/keytabs
> mv username.keytab /home/username/keytabs
> chmod 600 /home/username/keytabs/username.keytab
> echo "kinit -kt /home/username/keytabs/username.keytab username@DOMAIN.COM" >> /home/username/.bash_profile

This will create a keytab for the user, move it into a secure directory, and automatically get a ticket when the user logs in with a bash shell.

If you are trying to automate the use of a ticket from the desktop, then you can use a similar method. You will have to install something like the Oracle JDK to get a kinit tool, but you can create the keytab on a Linux machine and copy it to the windows system. Obviously, whatever tool you are trying to use (SAS, etc.) will need to be able to pass the Kerberos ticket to the cluster for authentication.

11,989 Views

avatar
author-rank rsheikh
Contributor

Created ‎02-16-2018 06:26 PM

@emaxwell

Your explanation, specially last paragraph, is the most closest explanation I have come across, of what we are trying to resolve. Indeed (using SAS client on a desktop) that connects to a SAS server (as in a session) and the need is to pass the user's kerberos ticket to HDP from that server. We have turned the registry setting in WIN server so the ticket cache is shareable, but no go.

I was wondering if there is any doc or step by step that is available? Also, the steps you showed in code section above, needs to be done for ea. end user on the client (to HDP) server? There is NO direct end-user login to the server (only via clients). Is there anything that could have WIN OS perform kinit on behalf of the end user and pass that ticket to HDP.

Any insight is appreciated as we are going in circle.

*(Still discovering kerberos not expert level)

11,989 Views
0 Kudos

avatar
author-rank smartninja723
Expert Contributor

Created ‎06-07-2016 04:05 PM

@Sri Bandaru

You can use Quest authentication/authorization services. We use it in production to grant you a TGT when you login to the box.

11,989 Views
0 Kudos

avatar
author-rank bandarusridhar1
Guru

Created ‎06-07-2016 04:11 PM

@Smart Solutions

Can you please explain in details how do you use in production? Based on that I can figure out the plan how it works for me.

11,989 Views
0 Kudos

avatar
author-rank rsheikh
Contributor

Created ‎02-16-2018 05:52 PM

Precise pain point we see, if on Linux one could do PAM but zero info on WIN. I would add, how does one have WIN OS to kinit on a user's (session) behalf?

11,989 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements